3

Configured Livy server on kerberized CDH 5.10.x and it's running fine on port 8998, but a curl request is giving the error below:

curl --negotiate -u : http://xxxxxxx:8998/sessions

Error 403

HTTP ERROR: 403

Problem accessing /sessions. Reason:

    GSSException: No valid credentials provided (Mechanism level: Failed to find any Kerberos credentails)

Powered by Jetty://

I am unable to get why the request is not going through the Kerberos security layer.

Ajay Kharade

2 Answers

2

This error indicates that your Kerberos ticket most likely doesn't exist or has expired.

Have you run kinit to create your Kerberos ticket?

Tagar
1

For testing purposes, can you kinit as the hdfs user (you can find the keytab on the machines with HDFS roles, Namenode or Datanode, under /var/run/cloudera-scm-agent/process/hdfs/hdfs.keytab):

kinit -kt hdfs.keytab hdfs/hostname@REALM

or kinit as your user:

kinit user@REALM

And then try

curl --negotiate -u : -X GET -H "Content-Type: application/json" http://xxxx.xxxx:8998/sessions

In order to find pyspark sessions,

curl --negotiate -u : -X POST --data '{"kind": "pyspark"}' -H "Content-Type: application/json" http://xxxxx:8998/sessions

Paul
  • 1
    Currently I am running as a system user. I tried the above command but it didn't work; it gives the error "kinit: Generic preauthentication failure while getting initial credentials". – Ajay Kharade Dec 05 '18 at 14:36
  • What’s the name of the system user? – Paul Dec 05 '18 at 19:06
  • It's something like sys. This user is able to access Hadoop services without security issues. – Ajay Kharade Dec 05 '18 at 19:09
  • Can you kinit as sys and try again? – Paul Dec 06 '18 at 00:25
  • -1, as normal users shouldn't use (or shouldn't even have access to) service accounts' keytabs, and hdfs/_HOST is a service account that is used by the HDFS services themselves. The hdfs user is a "superuser" that bypasses the normal security imposed on other users, so again it's a bad idea to suggest that. – Tagar Dec 06 '18 at 01:30
  • 1
    I agree! I should've added the hdfs kinit for testing purposes. Again, he's using a system user (trying to understand what it is). – Paul Dec 06 '18 at 01:36
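
The check both answers point to (confirm a ticket exists, then retry `curl --negotiate`), written as a preflight script. This is an added example and not part of the original posts; `LIVY_URL`, the function names and the return codes are assumptions, and `klist -s` is the MIT Kerberos form.

```shell
#!/bin/sh
# Added example, not from the thread. LIVY_URL is a placeholder endpoint.
LIVY_URL="${LIVY_URL:-http://livy.example.internal:8998/sessions}"

# 0 if the credential cache is readable and its ticket has not expired.
# "klist -s" (MIT Kerberos) prints nothing and reports only via exit status.
have_ticket() {
    klist -s 2>/dev/null
}

# 0 if this curl build lists SPNEGO in its feature line; without it,
# --negotiate cannot produce a token even with a valid ticket.
curl_has_spnego() {
    curl --version 2>/dev/null | grep -i '^Features:' | grep -qiw 'SPNEGO'
}

# Short diagnosis for the HTTP status of the negotiate request.
explain_status() {
    case "$1" in
        2??) echo "authenticated" ;;
        401) echo "server wants Negotiate auth and accepted no token" ;;
        403) echo "rejected; read the response body for a GSSException" ;;
        000) echo "no HTTP response; check host and port" ;;
        *)   echo "unexpected status" ;;
    esac
}

# Returns 2 without a ticket, 3 without SPNEGO, 1 on a non-2xx reply, else 0.
livy_preflight() {
    if ! have_ticket; then
        echo "no valid Kerberos ticket: run kinit user@REALM first" >&2
        return 2
    fi
    if ! curl_has_spnego; then
        echo "this curl build has no SPNEGO support" >&2
        return 3
    fi
    code=$(curl --negotiate -u : -s -o /dev/null -w '%{http_code}' "$LIVY_URL")
    echo "HTTP $code: $(explain_status "$code")"
    case "$code" in 2??) return 0 ;; *) return 1 ;; esac
}
```

Source the file and call `livy_preflight` as the same OS user that runs the failing curl command, since the credential cache is per user.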